Define IGMP-based multicast forwarding

You can configure IGMP-based multicast forwarding for a specified Firewall element.

IGMP-based multicast forwarding (IGMP proxying) is implemented on the Firewall based on RFC 4605. IGMP-based multicast forwarding is only supported in tree topology networks. RFC 4605 includes support for source-specific multicast (SSM) with IGMP version 3. SSM is not supported with IGMP-based multicast forwarding. However, you can configure Access rules that filter multicast traffic based on the source.

The firewall maintains a membership database of the subscriptions from the downstream networks and sends unsolicited reports or leaves on the upstream interface when the subscription database changes. It also sends IGMP membership reports when queried on the upstream interface.

Note: Make sure your IPv4 Access rules allow this traffic to pass through the firewall.

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Right-click an NGFW Engine, then select Edit <element type>.
  2. Browse to Routing > Multicast Routing.
  3. Select IGMP Proxy as the Multicast Routing Mode.
  4. (Optional) Select the Upstream Interface and the IGMP Querier Settings for it.
    • If the multicast servers and the hosts are in the local networks, or if you want to limit the multicast to the local networks, it is not necessary to define the Upstream Interface. In that case, leave Not Set selected for Upstream Interface.
    • (Firewall Clusters only) You can only select as the Upstream Interface an interface that has a Cluster Virtual IP Address (CVI). You cannot select a Heartbeat Interface as the Upstream Interface.
    • You might need to select a specific IGMP Querier Settings element, for example, to troubleshoot multicast accessibility on hosts, or if some hosts use an earlier IGMP version.
  5. Click Add to define Downstream Interfaces.
    The firewall periodically queries the downstream networks for hosts that want to join or leave the multicast host group.
    A new entry appears in the table.
  6. Click the Interface cell and select the Downstream Interface from the list.
    • You can use each interface only once in the IGMP proxy configuration.
    • (Firewall Clusters only) The interface that you select as a Downstream Interface must have Node Dedicated IP Addresses (NDIs). It cannot be a Heartbeat Interface. It is recommended that the Node Dedicated IP Addresses increase in the same order on each node: for example, 192.168.1.10 and 192.168.2.10 for node A, and 192.168.1.11 and 192.168.2.11 for node B.
    Note: The downstream interfaces must have the lowest IP addresses among all IGMP queries in the local networks.
  7. Click the IGMP Querier Settings cell, then select the IGMP Querier Settings element that uses the IGMP version for the downstream interface.
    You might need to select a specific IGMP Querier Settings element, for example, to troubleshoot multicast accessibility on hosts, or if some hosts use an earlier IGMP version.
  8. Click Save and Refresh to transfer the changed configuration.

Engine Editor > Routing > Multicast Routing

Use this branch to define static multicast, IGMP-based multicast forwarding, or PIM dynamic routing. Only IPv4 addresses are supported.

Option Definition
Multicast Routing Mode Specifies how the NGFW Engine routes multicast traffic.
  • None — Disables multicast routing.
  • Static — Enables options that allow you to add static routes for multicast traffic.
  • IGMP Proxy — Enables options that allow you to use the NGFW Engine for IGMP-based multicast forwarding.
  • PIM — Enables options that allow you to use the NGFW Engine for dynamic routing using PIM.
Option Definition
When Multicast Routing Mode is Static

Click Add to add a row to the table, or Remove to remove the selected row.
Source Interface Select the interface to use for multicast routing.
Source IP Address Enter the unicast IP address of the multicast source.
Destination IP Address Enter the multicast destination IP address. The destination address must be within the multicast range of 224.0.0.0 to 239.255.255.255.
Destination Interface Right-click Destination Interface, then select Edit Destination Interface to select the interfaces where you want this multicast traffic forwarded.
Comment

(Optional)

 A comment for your own reference.
Option Definition
When Multicast Routing Mode is IGMP Proxy
Upstream Interface Select the interface to use as the upstream interface. If the multicast servers and the hosts are in the local networks, or if you want to limit the multicast to the local networks, it is not necessary to define the upstream interface. In that case, leave Not Set selected.
Upstream IGMP Version Select the IGMP version according to the upstream network environment. The default IGMP version is version 3.
Downstream Interfaces table

Click Add to add a row to the table, or Remove to remove the selected row.
Interface Select the downstream interfaces.
IGMP Querier Settings Select an IGMP Querier Settings element according to the downstream network environment. The element defines the IGMP version and query parameters.
Option Definition
When Multicast Routing Mode is PIM
PIM Profile Select a PIM Profile to use. The profile contains the multicast groups and determines the PIM mode that is used.
MRoute Preference
Note: This option is not supported in this version of Forcepoint NGFW.
The routing table is used to specify reverse path forwarding (RPF) information whenever multicast traffic from source addresses uses a different path than unicast traffic from the same source address.
  • Best Match Preferred — The RPF lookup prefers the best match based on both the default routing table and the Multicast routing (mroute) table.
  • MRoute Preferred — The RPF lookup uses the mroute table. If the mroute table cannot be used, the default routing table is used.
Bootstrap Settings — see RFC 5059 for more information.
RP Candidate If you want to use the firewall as a rendezvous point (RP) candidate, select an IP address. Otherwise, select Not a Candidate.
RP Priority Enter a value for the RP priority.
Multicast Groups Add the multicast IPv4 networks for which the firewall acts as an RP candidate. Click Add to add a row to the table, or Remove to remove the selected row.
BSR Candidate If you want to use the firewall as a bootstrap router (BSR) candidate, select an IP address. Otherwise, select Not a Candidate.
BSR Priority Enter a value for the BSR priority.

IGMP Querier Settings dialog box

Use this dialog box to create an IGMP Querier Settings element.

Option Definition
Name The name of the element.
IGMP Version Select the version of IGMP to use.
Query Interval Enter how often the hello packet is sent in seconds. This option is not supported when IGMP Version is IGMPv1.
Robustness Enter the robustness value. If you expect packet loss in the network, increase this value to send more IGMP messages. This option is not supported when IGMP Version is IGMPv1 or when the IGMP Querier Settings element is used for PIM.
Comment

(Optional)

 A comment for your own reference.
Category

(Optional)

 Includes the element in predefined categories. Click Select to select a category.